authorJosé Luis Lafuente <jl@lafuente.me>2021-08-12 22:02:12 +0200
committerJosé Luis Lafuente <jl@lafuente.me>2021-08-12 22:02:12 +0200
commit679d54dcb3d205f989cd77fbe7a557c94c15d596 (patch)
tree14884e3b9c06d1aeb5b25de896a3f9b7fe4bbb84 /nixos/modules/services/web-servers
parent9df2cb074d72ea80ac9fd225b29060c8cf13dd39 (diff)
nixos/caddy: update ca option
The generated json configuration returns this warning:
the 'issuer' field is deprecated and will be removed in the future; use 'issuers' instead

Updated the config to use "issuers" instead of "issuer"

Also, it is now possible to set the ca option to null so that no CA is
injected automatically. This is useful if you don't want to generate any
certificates, or if you want to define a more fine-grained CA config
manually (e.g.: use a different CA per domain)
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r--nixos/modules/services/web-servers/caddy.nix48
1 files changed, 29 insertions, 19 deletions
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
index 955b9756406..b0565fcea16 100644
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -8,10 +8,10 @@ let
 
   tlsConfig = {
     apps.tls.automation.policies = [{
-      issuer = {
+      issuers = [{
         inherit (cfg) ca email;
         module = "acme";
-      };
+      }];
     }];
   };
 
@@ -23,23 +23,28 @@ let
 
   # merge the TLS config options we expose with the ones originating in the Caddyfile
   configJSON =
-    let tlsConfigMerge = ''
-      {"apps":
-        {"tls":
-          {"automation":
-            {"policies":
-              (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
-               then .[0].apps.tls.automation.policies
-               else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
-               end)
+    if cfg.ca != null then
+      let tlsConfigMerge = ''
+        {"apps":
+          {"tls":
+            {"automation":
+              {"policies":
+                (if .[0].apps.tls.automation.policies == .[1]?.apps.tls.automation.policies
+                 then .[0].apps.tls.automation.policies
+                 else (.[0].apps.tls.automation.policies + .[1]?.apps.tls.automation.policies)
+                 end)
+              }
             }
           }
-        }
-      }'';
-    in pkgs.runCommand "caddy-config.json" { } ''
-    ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
-  '';
-in {
+        }'';
+      in
+      pkgs.runCommand "caddy-config.json" { } ''
+        ${pkgs.jq}/bin/jq -s '.[0] * ${tlsConfigMerge}' ${adaptedConfig} ${tlsJSON} > $out
+      ''
+    else
+      adaptedConfig;
+in
+{
   imports = [
     (mkRemovedOptionModule [ "services" "caddy" "agree" ] "this option is no longer necessary for Caddy 2")
   ];
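Review bot: When `cfg.ca` is null the new `else adaptedConfig` branch drops the whole injected TLS policy, so a value set in `services.caddy.email` is silently unused in that configuration; nothing in the hunk warns about it. A one-line comment above the `if` would make the coupling visible, e.g. `# a null ca skips the injected ACME issuer entirely, so cfg.email is ignored in that case`. It is also worth stating, in the same comment, that the two branches must evaluate to the same kind of value (both are presumably store paths to a JSON file, but `adaptedConfig` is defined outside this hunk, so confirm that). The enclosing `let` begins before the hunk.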
@@ -88,8 +93,13 @@ in {
     ca = mkOption {
       default = "https://acme-v02.api.letsencrypt.org/directory";
       example = "https://acme-staging-v02.api.letsencrypt.org/directory";
-      type = types.str;
-      description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people.";
+      type = types.nullOr types.str;
+      description = ''
+        Certificate authority ACME server. The default (Let's Encrypt
+        production server) should be fine for most people. Set it to null if
+        you don't want to include any authority (or if you want to write a more
+        fine-graned configuration manually)
+      '';
     };
 
     email = mkOption {
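Review bot: The new description's "if you don't want to include any authority" overstates what null does: it only stops this module from injecting an issuer; as far as I know Caddy still falls back to its own built-in automatic-HTTPS defaults unless that is disabled in the Caddyfile, so a null here does not by itself prevent certificate issuance. The description should say so, and should mention that `email` is not applied when `ca` is null, e.g. `Set it to null to skip the injected ACME issuer (email is then ignored); Caddy's own automatic-HTTPS defaults still apply unless disabled in the Caddyfile.`. The same paragraph has the typo "fine-graned" for "fine-grained". An `example = null;` alongside the staging URL is not possible with a single example, but the null case could be illustrated in the description instead.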